Penetration Testing Tools
By Mohammed AlSubayt
Information Gathering:
1. Nmap
• Description: Network exploration tool and security/port scanner.
• Example: nmap -A scanme.nmap.org
2. Shodan
• Description: Search engine for internet-connected devices.
• Example: Use the Shodan website or CLI: shodan search "apache"
3. Maltego
• Description: Visual link analysis tool for gathering and connecting online information.
• Example: GUI-based; explore entities and relationships.
4. TheHarvester
• Description: E-mail, subdomain, and people names harvester from different public sources.
• Example: theHarvester -d example.com -b google
5. Recon-NG
• Description: A full-featured Web Reconnaissance framework written in Python.
• Example: CLI-based; start recon-ng, then marketplace search recon and marketplace install <module> to pull in modules, and modules load <module> to use one.
6. Amass
• Description: In-depth DNS enumeration, attack surface mapping, and external asset discovery.
• Example: amass enum -d example.com (add -passive to query only third-party sources without touching the target's DNS)
7. Censys
• Description: Search engine for discovering devices and networks across the internet.
• Example: Use the Censys website or the CLI. The 80.http.get.title field belongs to the legacy v1 API; the current Search syntax is censys search 'services.http.response.html_title: "Apache2 Ubuntu Default Page"'
8. OSINT Framework
• Description: A curated index of free OSINT tools and resources, organised by the type of data you are looking for.
• Example: Navigate through the framework online at osintframework.com.
9. Gobuster
• Description: Directory/file, DNS, and VHost brute-forcing tool.
• Example: gobuster dir -u http://example.com -w wordlist.txt; the other modes are gobuster dns -d example.com -w wordlist.txt and gobuster vhost -u http://example.com -w wordlist.txt
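Added example (my own script, not from the original page nor from the nmap or gobuster projects) showing how the Information Gathering and Web Application Assessment tools above chain together: nmap's greppable (-oG) output is parsed into a list of HTTP/HTTPS targets, and each target becomes a gobuster command line. The -oG snippet embedded in the script is constructed, not a real scan; the host addresses, the scan file name and the dirb wordlist path are assumptions. nmap is only run when it is installed and TARGET_RANGE is set, so the script also runs offline.

```shell
#!/bin/sh
# Added example: nmap -oG output -> list of web targets -> gobuster command lines.
# Not from the original page. Hosts, file names and the wordlist path are assumptions.

# Constructed sample of what `nmap -sV -oG scan.gnmap 10.0.0.0/28` writes (not a real scan).
SAMPLE_GNMAP='# Nmap 7.94 scan initiated (constructed sample)
Host: 10.0.0.5 ()   Status: Up
Host: 10.0.0.5 ()   Ports: 22/open/tcp//ssh//OpenSSH 9.2/, 80/open/tcp//http//nginx 1.24/, 443/open/tcp//ssl|https//nginx 1.24/   Ignored State: closed (997)
Host: 10.0.0.9 ()   Ports: 8080/open/tcp//http-proxy//Jetty/, 3306/filtered/tcp//mysql///
Host: 10.0.0.12 ()  Ports: 445/open/tcp//microsoft-ds///
# Nmap done (constructed sample)'

# Print one URL per open port whose service name contains "http".
# Greppable port entries look like port/state/proto/owner/service/rpc/version/.
web_targets_from_gnmap() {
  printf '%s\n' "$1" | awk '
    /^Host: / && /Ports: / {
      ip = $2
      sub(/.*Ports: /, "")                # keep only the port list
      sub(/[ \t]+Ignored State.*/, "")    # drop the trailing summary
      n = split($0, entries, /, */)
      for (i = 1; i <= n; i++) {
        split(entries[i], f, "/")
        if (f[2] != "open") continue      # filtered/closed ports are not targets
        if (f[5] !~ /http/) continue      # http, https, http-proxy, http-alt ...
        scheme = (f[5] ~ /https/ || f[5] ~ /ssl/) ? "https" : "http"
        printf "%s://%s:%s\n", scheme, ip, f[1]
      }
    }'
}

# Build a gobuster dir invocation for one URL: -k skips TLS verification on
# self-signed hosts, -t sets threads, -o writes results to a per-target file.
gobuster_cmd() {
  name=$(printf '%s' "$1" | sed 's#[:/]#_#g')
  printf 'gobuster dir -u %s -w %s -t 20 -k -o %s.txt\n' "$1" "$2" "$name"
}

WORDLIST=/usr/share/wordlists/dirb/common.txt   # assumption: Kali's dirb wordlist

if [ -n "${TARGET_RANGE:-}" ] && command -v nmap >/dev/null 2>&1; then
  nmap -sV -oG scan.gnmap "$TARGET_RANGE" >/dev/null   # real scan, only when asked for
  GNMAP=$(cat scan.gnmap)
else
  GNMAP=$SAMPLE_GNMAP                                  # offline: use the constructed sample
fi

web_targets_from_gnmap "$GNMAP" | while read -r url; do
  gobuster_cmd "$url" "$WORDLIST"
done
```

Only ports in the open state are kept: a filtered port (the 3306/filtered entry in the sample) tells you nothing about the service and would waste a wordlist run. The same URL list can be fed to nikto -h in place of gobuster.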
Exploitation:
1. Burp Suite
• Description: An integrated platform for performing security testing of web applications.
• Example: Use the Proxy and Intruder tools within the GUI.
2. Metasploit Framework
• Description: A tool for developing and executing exploit code against a remote target machine.
• Example: msfconsole, then search <product or CVE> to find a module, use <module>, set RHOSTS/LHOST, and run; exploit/multi/handler is the listener that catches reverse shells from payloads built with msfvenom, not an exploit itself.
3. SQLmap
• Description: Automated detection and exploitation of SQL injection flaws.
• Example: sqlmap -u "http://example.com/page?id=1" --dbs
Password Cracking:
1. John The Ripper
• Description: Multi-purpose password recovery tool.
• Example: john --wordlist=wordlist.txt hashes.txt
2. Hydra
• Description: Fast network logon cracker.
• Example: hydra -l user -P passlist.txt ftp://192.168.0.1
3. Hashcat
• Description: World's fastest and most advanced password recovery utility.
• Example: hashcat -m 0 -a 0 hash.txt wordlist.txt
4. OPHCrack
• Description: Windows password cracker based on rainbow tables.
• Example: GUI-based; load the hashes and start cracking.
5. Medusa
• Description: Speedy, parallel, modular login brute-forcer.
• Example: medusa -h 192.168.0.1 -u user -P passlist.txt -M ssh
6. THC-Hydra
• Description: The full name of the Hydra tool above (THC is The Hacker's Choice, the group that wrote it); not a separate tool.
• Example: See Hydra example.
7. Cain & Abel
• Description: Legacy Windows password recovery tool; no longer maintained.
• Example: GUI-based; used for recovering passwords from captures or cracking encrypted passwords.
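Added example (my own script, not from the original page nor from the John or Hashcat projects) for the Password Cracking section: the step that precedes every john or hashcat run, turning a copied /etc/shadow into per-hash-type input files. It skips accounts with no usable hash, maps the crypt(3) $id$ prefix to a hashcat -m mode, and prints the crack command for each file. The shadow lines are constructed placeholders (the hash bodies are not real hashes), and wordlist.txt and rules/best64.rule are assumed paths.

```shell
#!/bin/sh
# Added example (not from the original page): prepare /etc/shadow hashes for
# John the Ripper / Hashcat. Shadow lines are constructed placeholders, not real hashes.

# Constructed sample of a copied shadow file.
SAMPLE_SHADOW='root:$6$saltsalt$FAKESHA512CRYPTHASH:19700:0:99999:7:::
alice:$y$j9T$saltsaltsalt$FAKEYESCRYPTHASH:19700:0:99999:7:::
bob:$1$saltsalt$FAKEMD5CRYPTHASH:19700:0:99999:7:::
svc:!:19700:0:99999:7:::
nobody:*:19700:0:99999:7:::
dave:!$6$saltsalt$LOCKEDBUTSTILLHASHED:19700:0:99999:7:::
carol:$5$saltsalt$FAKESHA256CRYPTHASH:19700:0:99999:7:::'

# Keep only accounts with a real crypt(3) hash: "!" / "*" / "!!" mean no password
# login, and a "!" in front of a hash means `passwd -l` locked the account.
crackable_hashes() {
  printf '%s\n' "$1" | awk -F: '$2 ~ /^\$[0-9a-zA-Z]+\$/ { print $1 ":" $2 }'
}

# Map the $id$ prefix to "hashcat-mode name". Hashcat needs one hash type per run,
# so mixed files must be split. yescrypt has no hashcat mode; John handles it via
# --format=crypt (the system libcrypt).
hash_mode() {
  case "$1" in
    '$1$'*)                  echo "500 md5crypt" ;;
    '$5$'*)                  echo "7400 sha256crypt" ;;
    '$6$'*)                  echo "1800 sha512crypt" ;;
    '$2a$'*|'$2b$'*|'$2y$'*) echo "3200 bcrypt" ;;
    '$y$'*)                  echo "john yescrypt" ;;
    *)                       echo "unknown unknown" ;;
  esac
}

# Write one user:hash file per mode into OUTDIR and print the matching crack command.
split_and_plan() {
  outdir=$2
  mkdir -p "$outdir"
  crackable_hashes "$1" | while IFS=: read -r user hash; do
    mode=$(hash_mode "$hash" | cut -d' ' -f1)
    printf '%s:%s\n' "$user" "$hash" >> "$outdir/mode_$mode.txt"
  done
  for f in "$outdir"/mode_*.txt; do
    mode=${f##*/mode_}; mode=${mode%.txt}
    case "$mode" in
      john)    echo "john --format=crypt --wordlist=wordlist.txt $f" ;;
      unknown) echo "# no known mode for $f; identify the hash format by hand" ;;
      # --username tells hashcat to skip the user: prefix; -r applies mangling rules
      *)       echo "hashcat -m $mode -a 0 --username -r rules/best64.rule $f wordlist.txt" ;;
    esac
  done
}

OUT=$(mktemp -d)
split_and_plan "$SAMPLE_SHADOW" "$OUT"
```

Two things the split makes visible: a locked account still carries its old hash behind the leading "!" and is worth cracking only if you strip that character and accept that the password no longer logs in, and sha512crypt with a high rounds= value is orders of magnitude slower than md5crypt, so the per-mode files also tell you where GPU time is best spent.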
Vulnerability Scanning:
1. OpenVAS
• Description: Open-source vulnerability scanning and management framework.
• Example: GUI-based; configure and run scans through the Greenbone Security Assistant.
2. Nessus
• Description: Widely used vulnerability scanner with high-speed discovery, configuration auditing, and asset
profiling.
• Example: Proprietary; after setup, scans are configured and launched from the web UI at https://localhost:8834 (the old nessus -q command-line client quoted in older guides is no longer shipped). The nessuscli tool handles registration and updates, e.g. nessuscli fetch --register <activation code>.
3. AppScan
• Description: Application security testing tool to identify and manage vulnerabilities in web, mobile, and desktop
applications.
• Example: Proprietary; typically GUI-driven, scan configurations are done through its interface.
4. Lynis
• Description: Security auditing tool for Unix/Linux systems.
• Example: lynis audit system
5. Retina
• Description: Network security scanner that offers vulnerability assessment and remediation.
• Example: Proprietary; GUI-based, scan configurations and scheduling through its interface.
6. Nexpose
• Description: Vulnerability management solution, identifies risks across networks, endpoints, and cloud environments.
• Example: Proprietary; after setup, initiate scans via the web interface.
Social Engineering:
1. GoPhish
• Description: Open-source phishing toolkit designed for businesses and penetration testers.
• Example: GUI-based; configure campaigns and monitor results through the web interface.
2. HiddenEye
• Description: Modern phishing tool with advanced functionality.
• Example: Command-line; setup phishing pages and monitor through terminal.
3. SocialFish
• Description: Advanced phishing toolkit for simulating social engineering attacks.
• Example: Command-line; deploy using python3 SocialFish.py
4. EvilURL
• Description: Generate unicode evil domains for IDN Homograph Attack and detect them.
• Example: Command-line; use python3 evilurl.py to generate.
5. Evilginx
• Description: Reverse-proxy (adversary-in-the-middle) phishing framework that relays the victim's login to the real site and captures both the credentials and the resulting session cookies, so it defeats OTP- and push-based 2FA. It does not capture FIDO2/WebAuthn credentials, which are bound to the legitimate origin.
• Example: Command-line; launch evilginx2, then config domain <domain>, phishlets hostname <phishlet> <domain>, phishlets enable <phishlet>, and lures create <phishlet> to obtain the phishing URL.
Forensics:
1. Sleuth Kit
• Description: Collection of command-line tools to analyze disk images and recover files.
• Example: fls image.dd to list files and directories within an image.
2. Autopsy
• Description: Graphical interface to The Sleuth Kit and other digital forensics tools.
• Example: GUI-based; create a new case and add data sources to begin analysis.
3. Volatility
• Description: Advanced memory forensics framework.
• Example: Volatility 2 needs an explicit profile: volatility -f memorydump.img --profile=Win7SP1x64 pslist; Volatility 3 detects the OS itself and uses namespaced plugins: vol -f memorydump.img windows.pslist
4. Guymager
• Description: Free forensic imager for media acquisition.
• Example: GUI-based; select a device and start acquisition to an image file.
5. Foremost
• Description: Program to recover lost files based on their headers, footers, and internal data structures.
• Example: foremost -i image.dd -o carved/
6. Binwalk
• Description: Tool for searching a given binary image for embedded files and executable code.
• Example: binwalk firmware.bin to list signatures; binwalk -e firmware.bin to extract them.
7. Wireshark
• Description: Network protocol analyzer used for network analysis, troubleshooting, software and protocol development.
• Example: GUI-based; capture or open a packet capture file to analyze.
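Added example (my own script, not from the original page nor from The Sleuth Kit project) for the Forensics section: the step between imaging and fls that the one-line fls image.dd example skips. A partitioned image has to be located with mmls first, and the offset then has to be expressed in sectors for fls/icat but in bytes for mount. The mmls output embedded below is constructed; image.dd, the mount points and the .body file names are assumptions. mmls itself is only run when the image and the tool are both present.

```shell
#!/bin/sh
# Added example (not from the original page): read Sleuth Kit's mmls partition
# table and derive the offsets fls/icat (sectors) and mount (bytes) expect.
# The image name and mount points are assumptions.

# Constructed sample of `mmls image.dd` for a DOS-partitioned image (not real output).
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   Linux (0x83)
003:  000:001   0000206848   0002097151   0001890304   Linux (0x83)'

# Print "slot start_sector length_sectors start_bytes description" for each
# allocated partition, skipping the Meta and Unallocated rows.
mmls_partitions() {
  printf '%s\n' "$1" | awk '
    /^Units are in/ { unit = $4; sub(/-byte.*/, "", unit) }
    /^[0-9][0-9][0-9]:/ && $2 != "Meta" && $2 != "-------" {
      slot = $1; sub(/:$/, "", slot)
      desc = $6
      for (i = 7; i <= NF; i++) desc = desc " " $i
      printf "%s %d %d %d %s\n", slot, $3, $5, $3 * unit, desc
    }'
}

# Emit the Sleuth Kit and mount commands per partition. fls -o takes a SECTOR
# offset; mount's offset= is in BYTES. The image is mounted read-only so the
# evidence hash taken before analysis still matches afterwards.
partition_commands() {
  img=$1
  mmls_partitions "$2" | while read -r slot start len bytes desc; do
    echo "# partition $slot: $desc, $len sectors"
    echo "fls -o $start -r -m / $img > fls_$slot.body"
    echo "mount -o ro,loop,noexec,offset=$bytes $img /mnt/evidence_$slot"
  done
}

IMAGE=image.dd
if [ -f "$IMAGE" ] && command -v mmls >/dev/null 2>&1; then
  sha256sum "$IMAGE" > "$IMAGE.sha256"          # evidence integrity baseline
  MMLS=$(mmls "$IMAGE")
else
  MMLS=$SAMPLE_MMLS                             # offline: constructed sample
fi
partition_commands "$IMAGE" "$MMLS"
```

The fls -m / body files are the input for mactime, which turns them into a filesystem timeline; running fls without -o against a partitioned image is the usual cause of a "cannot determine file system type" error, because it is reading the partition table rather than a filesystem.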
Wireless Hacking:
1. Aircrack-NG
• Description: Suite of tools for 802.11 wireless networks' auditing.
• Example: aircrack-ng capture-01.cap
2. Wifite
• Description: Automated wireless attack tool.
• Example: wifite --kill
3. Kismet
• Description: Wireless network and device detector, sniffer, wardriving tool, and WIDS (wireless intrusion
detection) framework.
• Example: kismet -c wlan0
4. TCPDump
• Description: Command-line packet analyzer.
• Example: tcpdump -i eth0 -w capture.pcap (use the monitor-mode interface, e.g. wlan0mon, to capture raw 802.11 frames)
5. Airsnort
• Description: Legacy WLAN tool that cracks WEP keys on 802.11b networks; unmaintained and superseded by aircrack-ng.
• Example: GUI-based; capture packets and analyze.
6. NetStumbler
• Description: Legacy Windows tool for detecting 802.11a/b/g wireless LANs.
• Example: GUI-based; scan for networks.
7. Reaver
• Description: WPA/WPA2 security hole exploitation tool (brute-forces the WPS PIN).
• Example: reaver -i wlan0mon -b 00:01:02:03:04:05 -c 6 -vv
Web Application Assessment:
1. OWASP ZAP (Zed Attack Proxy)
• Description: Open-source web application security scanner.
• Example: GUI-based; automated and manual testing tools.
2. Burp Suite
• Description: Integrated platform for performing security testing of web applications.
• Example: GUI-based; intercepting proxy, scanner, and intruder tools.
3. Nikto
• Description: Web server scanner which performs comprehensive tests against web servers for multiple items.
• Example: Command-line; nikto -h www.example.com
4. WPScan
• Description: Black box WordPress vulnerability scanner.
• Example: wpscan --url https://www.examplewebsite.com --enumerate vp,u (vulnerability data requires a free API token passed with --api-token)
5. Gobuster
• Description: Tool used to brute-force URIs (directories and files) in web sites and DNS subdomains.
• Example: gobuster dir -u http://www.example.com -w wordlist.txt
6. AppSpider
• Description: Automatically crawls and scans all types of legacy and modern web applications.
• Example: Proprietary; GUI-based, configure scans through its interface.